Integrated Form Authentication in ASP.Net Web API


This article explains Forms Authentication and how we can integrate it into the Web API.

What is Form Authentication

Forms Authentication uses an HTML form to send the client's credentials to the server. It is suitable only for Web APIs that are called from a web application, where the client interacts with the HTML form.


The advantages of Form Authentication are:

  • It is easy to implement in ASP.NET.
  • It provides ASP.NET Membership, which makes it easy to manage user accounts.


The disadvantages of Form Authentication are:

  • It requires a browser client.
  • The credentials are sent to the server as plaintext.
  • It is difficult to use from a non-browser client.
  • The client credentials are sent in the request.
  • It requires that users have cookies enabled.

How Form Authentication works


  • The client requests a resource that requires authentication.
  • If the client is not authenticated, the server returns HTTP 302 (Found) and redirects to the login page.
  • The client enters the credentials and submits the form.
  • The server returns another HTTP 302 that redirects back to the original URI. This response includes an authentication cookie.
  • The client requests the resource again, this time including the cookie, and the server grants the request.
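
Because the credentials and the authentication cookie travel as plaintext, forms authentication should only run over HTTPS. The following Web.config fragment is an added example, not part of the original article; the login path, cookie name and timeout are assumed values.

```xml
<!-- Added example: hardened forms authentication settings.
     Weak baseline for comparison:
       <forms loginUrl="~/Account/Login" />
     That form leaves requireSSL at its default of false, so the
     authentication cookie can be sent over plain HTTP. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: target of the 302 redirect for unauthenticated clients
                     (assumed path).
           name: cookie name (assumed value).
           requireSSL: the cookie is only sent over HTTPS.
           protection="All": the ticket is encrypted and validated.
           cookieless="UseCookies": the ticket is never placed in the URL.
           timeout / slidingExpiration: fixed 20-minute lifetime
                     (assumed value). -->
      <forms loginUrl="~/Account/Login"
             name=".EXAMPLEAUTH"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Deny anonymous users so that every request without a valid
         cookie is redirected to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Apply Secure and HttpOnly to the other cookies the application
         issues as well. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```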

Integrated Windows Authentication

Integrated Windows Authentication lets the client log in with Windows credentials using Kerberos or NTLM. It is appropriate for an intranet environment. The client sends the credentials in the Authorization header.

Advantages of Integrated Windows Authentication

  • It is built into IIS.
  • It does not send the client credentials in the request.
  • There is no need to enter credentials if the user's computer belongs to the domain.

Disadvantages of Integrated Windows Authentication

  • It is not recommended for Internet applications.
  • The client must support Kerberos or NTLM.
  • The client must be in the Active Directory domain.

To create an application that uses Integrated Windows Authentication, select the "MVC4 application" project in Visual Studio, then select "Internet Application" from the Template window of the MVC 4 wizard.

Set the following in the "Web.config" file.


    <authentication mode="Windows" />


On the client side, Windows Authentication works with any browser that supports the Negotiate authentication scheme, which includes the major browsers. For client applications, the HttpClient class supports Windows Authentication.

    // Requires: using System.Net.Http;
    // Send the logged-on user's Windows credentials with each request.
    HttpClientHandler handler = new HttpClientHandler()
    {
        UseDefaultCredentials = true
    };

    HttpClient client = new HttpClient(handler);